CVE-2026-22980
Published: 23 January 2026
Summary
CVE-2026-22980 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-22980 is a use-after-free vulnerability in the Linux kernel's nfsd (NFS server daemon) component, stemming from a race condition when writing to the v4_end_grace attribute. This race occurs between the write operation and server shutdown, potentially leading to access of freed memory, particularly the reclaim_str_hashtbl structure. The issue arises because nfsd_mutex cannot be held across nfsd4_end_grace() calls due to deadlock risks with client tracking upcalls, and interactions with the laundromat work queue during shutdown exacerbate the problem.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N), as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution or system crashes via the use-after-free (CWE-416).
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, which introduce a new nfsd_net field "client_tracking_active" protected by nn->client_lock to ensure safe client tracking calls, and a "grace_end_forced" flag to safely schedule the laundromat work item after v4_end_grace writes without restarting it post-shutdown. These changes prevent the race by enforcing proper synchronization during grace period management.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4321
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particular. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the laundromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field, "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free.
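The synchronisation pattern described in the Deeper analysis and in the commit text above, as an added user-space model (this is not the kernel's nfsd code and does not compile into it). The struct and field names (client_tracking_active, grace_end_forced, a stand-in for nn->client_lock, reclaim state freed at shutdown) mirror the advisory; the lock is modelled as a held/not-held flag because the model runs single-threaded, and the race is reproduced deterministically by letting shutdown run between the unsynchronised check and the queueing step of the unpatched write path. The scenario functions return true when the queued laundromat would touch memory that shutdown already freed.

```c
/* Added example: single-threaded model of the v4_end_grace / shutdown race
 * and of the lock-protected flag that the fix introduces. Not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct nfsd_net_model {
    bool lock_held;              /* stand-in for nn->client_lock (assumption) */
    bool client_tracking_active; /* true only while tracking calls are safe */
    bool grace_end_forced;       /* set when v4_end_grace is written */
    bool laundromat_queued;      /* laundromat work item is pending */
    bool resources_freed;        /* reclaim_str_hashtbl etc. already freed */
};

/* Lock discipline checks: re-locking or double-unlocking aborts the model. */
static void lock(struct nfsd_net_model *nn)   { if (nn->lock_held) abort(); nn->lock_held = true; }
static void unlock(struct nfsd_net_model *nn) { if (!nn->lock_held) abort(); nn->lock_held = false; }

/* The laundromat runs once; returns true if it touched freed state (the UAF). */
static bool run_laundromat(struct nfsd_net_model *nn)
{
    nn->laundromat_queued = false;
    return nn->resources_freed;
}

/* Server shutdown: clear the flag under the lock, drain pending work
 * (the cancel/wait the commit text describes), then free the state. */
static void shutdown_net(struct nfsd_net_model *nn)
{
    lock(nn);
    nn->client_tracking_active = false;
    unlock(nn);
    if (nn->laundromat_queued)
        (void)run_laundromat(nn); /* runs while state is still valid */
    nn->resources_freed = true;
}

/* Patched write path: the flag check and the queueing happen under one lock
 * hold, so shutdown cannot slip in between them. Returns whether work queued. */
static bool write_end_grace_locked(struct nfsd_net_model *nn)
{
    bool queued = false;
    lock(nn);
    nn->grace_end_forced = true;
    if (nn->client_tracking_active) {
        nn->laundromat_queued = true;
        queued = true;
    }
    unlock(nn);
    return queued;
}

/* Unpatched model: the check is an unsynchronised read and `preempt` models
 * shutdown running between that read and the queueing decision. */
static bool write_end_grace_racy(struct nfsd_net_model *nn,
                                 void (*preempt)(struct nfsd_net_model *))
{
    bool active = nn->client_tracking_active; /* stale after preemption */
    if (preempt)
        preempt(nn);
    nn->grace_end_forced = true;
    if (active)
        nn->laundromat_queued = true;         /* re-arms work after shutdown */
    return active;
}

/* Scenario 1: racy write loses the race to shutdown; work is queued after
 * shutdown drained and freed, so running it is a use-after-free. */
static bool scenario_racy(void)
{
    struct nfsd_net_model nn = {0};
    nn.client_tracking_active = true;
    (void)write_end_grace_racy(&nn, shutdown_net);
    return nn.laundromat_queued && run_laundromat(&nn);
}

/* Scenario 2: patched write after shutdown; flag is clear, nothing queues. */
static bool scenario_fixed_after_shutdown(void)
{
    struct nfsd_net_model nn = {0};
    nn.client_tracking_active = true;
    shutdown_net(&nn);
    bool queued = write_end_grace_locked(&nn);
    return queued || (nn.laundromat_queued && run_laundromat(&nn));
}

/* Scenario 3: patched write before shutdown; shutdown drains the queued
 * work while state is valid, so no freed memory is ever touched. */
static bool scenario_fixed_before_shutdown(void)
{
    struct nfsd_net_model nn = {0};
    nn.client_tracking_active = true;
    (void)write_end_grace_locked(&nn);
    shutdown_net(&nn);
    return nn.laundromat_queued && run_laundromat(&nn);
}

int main(void)
{
    printf("racy model, uaf=%d\n", scenario_racy());
    printf("fixed model, write after shutdown, uaf=%d\n", scenario_fixed_after_shutdown());
    printf("fixed model, write before shutdown, uaf=%d\n", scenario_fixed_before_shutdown());
    return 0;
}
```

The point the model makes is the one the commit text makes: it is not enough for the write path to read client_tracking_active, it must read it and queue the work while holding the same lock that shutdown takes to clear it, otherwise the work item can be re-armed after shutdown has already waited for it.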
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Local kernel use-after-free in nfsd enables privilege escalation via arbitrary code execution from low-privileged context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of the use-after-free race condition in Linux kernel nfsd through application of the specific upstream patches.
- Kernel memory protections such as KASLR and supervisor-mode execution prevention, which raise the cost of exploiting the nfsd use-after-free vulnerability.
- CM-7 (Least Functionality): restricts the system to least functionality by disabling unnecessary nfsd services, removing exposure to the v4_end_grace race condition where the NFS server is not needed.